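# Rule record for the CERT C checker: FIO45-C (file I/O family).
# The prose in `description` was garbled on import (spaces lost around
# "TOCTOU", "w" and "fopen()"); it is restored here to match the wiki text.
[metadata]
id = "FIO45-C"
# NOTE(review): CERT assigns priority/level (below) to rules, not to
# recommendations, and the -C identifiers numbered 30 and above are rules —
# confirm whether this should be "rule" before the checker keys off it.
type = "recommendation"
category = "FIO"
number = 45
title = "Avoid TOCTOU race conditions while accessing files"
# Mitigation (from the referenced wiki page, not restated in full here): do the
# check and the use in a single operation — e.g. create the file with exclusive
# semantics (fopen() "wx" in C11, or open() with O_CREAT | O_EXCL) and keep
# operating on the returned handle instead of re-resolving the path name.
description = """
A TOCTOU (time-of-check, time-of-use) race condition is possible when two or more
concurrent processes are operating on a shared file system [Seacord 2013b].
Typically, the first access is a check to verify some attribute of the file,
followed by a call to use the file. An attacker can alter the file between the
two accesses, or replace the file with a symbolic or hard link to a different
file. These TOCTOU conditions can be exploited when a program performs two or
more file operations on the same file name or path name. A program that performs
two or more file operations on a single file name or path name creates a race
window between the two file operations. This race window comes from the
assumption that the file name or path name refers to the same resource both
times. If an attacker can modify the file, remove it, or replace it with a
different file, then this assumption will not hold. If an existing file is
opened for writing with the w mode argument, the file's previous contents (if any)
are destroyed. The noncompliant code example on the referenced wiki page tries
to prevent an existing file from being overwritten by first opening it for
reading before opening it for writing. An attacker can exploit the race window
between the two calls to fopen() to overwrite an existing file.
"""
# CERT risk-assessment fields as published for this rule; priority and level
# are derived from severity/likelihood/remediation cost on the wiki page.
severity = "High"
likelihood = "Probable"
priority = "P6"
level = "L2"
cert_version = "2016 Edition (Wiki)"
# Kept as a string because the date is not known; use a native TOML local
# date (YYYY-MM-DD) once it is, so consumers need not parse a sentinel.
last_modified = "Unknown"

# Per-rule switch consumed by the checker.
[rules.cert_c.FIO45-C]
enabled = true

[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files"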